wannacry | b06b073d7b7686ccb923fe60231758fb74ab56b053aeb0d6c4b546fcaac8dae8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31d084e2b1846efa6aa8c48e0c15479c.dll
Size

5.0MB
MD5

31d084e2b1846efa6aa8c48e0c15479c
SHA1

9ae7b8f7154dc52b7913a6cc10fe4ecf60fbef7f
SHA256

b06b073d7b7686ccb923fe60231758fb74ab56b053aeb0d6c4b546fcaac8dae8
SHA512

90143e5a66bd6caf8bfe64f6bdcd7e257522953299af4194dc1703cd2bdc568e092d78e0cf8ac5f0509cd08e29e04ad6eea57b32d29ed5a75b3f5c9da59f825a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3139) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1972 mssecsvc.exe
2716 mssecsvc.exe
3996 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1972	mssecsvc.exe
2716	mssecsvc.exe
3996	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1680 wrote to memory of 5032	1680	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 5032	1680	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 5032	1680	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 1972	5032	rundll32.exe	mssecsvc.exe
PID 5032 wrote to memory of 1972	5032	rundll32.exe	mssecsvc.exe
PID 5032 wrote to memory of 1972	5032	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\31d084e2b1846efa6aa8c48e0c15479c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\31d084e2b1846efa6aa8c48e0c15479c.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5032

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1972

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3996

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
c95275f20af0ca0a731741c603a10d42

SHA1
5ccec9b53c79b16cb8c1477946c5ff23a6a6d72f

SHA256
67f464b9e9484542e5c595de223810bec74dd03db5ef9e93fcc24f136dd34c47

SHA512
5c081f3d043a343bd876d7b007f79b5625b2412e8187859e23fe9b9faf3643d75b889bf151042bd753831662bed71ef798c952220c155ab414c1f7e7683bc8bc

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c95275f20af0ca0a731741c603a10d42

SHA1
5ccec9b53c79b16cb8c1477946c5ff23a6a6d72f

SHA256
67f464b9e9484542e5c595de223810bec74dd03db5ef9e93fcc24f136dd34c47

SHA512
5c081f3d043a343bd876d7b007f79b5625b2412e8187859e23fe9b9faf3643d75b889bf151042bd753831662bed71ef798c952220c155ab414c1f7e7683bc8bc

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c95275f20af0ca0a731741c603a10d42

SHA1
5ccec9b53c79b16cb8c1477946c5ff23a6a6d72f

SHA256
67f464b9e9484542e5c595de223810bec74dd03db5ef9e93fcc24f136dd34c47

SHA512
5c081f3d043a343bd876d7b007f79b5625b2412e8187859e23fe9b9faf3643d75b889bf151042bd753831662bed71ef798c952220c155ab414c1f7e7683bc8bc

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ff7a3af81c0aebe0f7755eb9428f6189

SHA1
42f2b732feb316f58ed5ab500311d2cba8da7f7d

SHA256
9111adf54bd35bf90253ae991d9923f2fa673b465d0d9fca99a60b54f0adc044

SHA512
826640a2e651c092ee46314d19ff07313f25a1863e8a1bcf428a2fced2c6bf9b19bd82ec0237a66f93c047ccdb2fd3f35e1c08f80e0a2fb494d882046dd2dc91

Download Submit
memory/1972-131-0x0000000000000000-mapping.dmp

Download
memory/5032-130-0x0000000000000000-mapping.dmp

Download